Department of Finance

Australian Government Assurance Reviews

Resource Management Guide No. 106

JULY 2017

1

Department of Finance

RMG-106: Australian Government Assurance Reviews

© Commonwealth of Australia 2016

ISBN: 978-1-925205-49-7 (Online)

With the exception of the Commonwealth Coat of Arms and where otherwise noted, all material presented in this document is provided under a Creative Commons Attribution 3.0 Australia () licence.

The details of the relevant licence conditions are available on the Creative Commons website (accessible using the links provided) as is the full legal code for the CC BY 3 AU licence.

Use of the Coat of Arms

The terms under which the Coat of Arms can be used are detailed on the following website: .

Contact us

Please direct questions or comments about the Australian Government Assurance Review Process to:

Assurance Reviews Unit

Investment, Capability and Assurance Branch

Efficiency, Assurance and Digital Government Division

Governance and APS Transformation

Department of Finance

1 Canberra Avenue

ForrestACT 2603

Email:

Internet:

1

Department of Finance

RMG-106: Australian Government Assurance Reviews

Contents

Australian Government Assurance Reviews

Audience

Key points

Resources

Introduction

Part 1 – Australian Government Assurance Reviews

Core principles

Variance between the IRA and Gateway review process

Interaction with ICT Investment Approval Process and Two Stage Capital Works Approval Process

Risk management

Part 2 – Conducting successful Assurance Reviews

The initiation stage

The planning meeting

The onsite review

The review report

Key elements for a successful Assurance Review

Part 3 – Roles and responsibilities

Entities

Assurance Reviews Unit

Reviewers

Part 4 – Implementation Readiness Assessment (IRA) methodology

Implementation Readiness Assessment ratings

Key focus areas

Report recommendation categories

Part 5 – Gateway review process (Gateway) methodology

Gateway for projects

Gateway for programs

Blended Gateway reviews

Combined Gateway reviews

Phased Gateway reviews

Intermediate assessments

Delivery Confidence Assessments (DCAs) for Gateway

Key focus area assessment ratings

Report recommendation categories

Previous recommendations and action taken

Enhanced Notification process

Action plan

Assurance of Action Plan (AAP)

Appendix A: Example document list required for a Review

Appendix B: Skills profile of an Assurance Reviewer

Appendix C: Handbook for conducting Assurance Reviews

Gateway for projects

Gate 0 – Business need review

Gate 1 – Business case review

Gate 2 – Delivery strategy review

Gate 3 – Investment decision review

Gate 4 – Readiness for service review

Gate 5 – Benefits realisation review

Gateway for programs

Implementation Readiness Assessments

Glossary and definitions

Audience

The Australian Government Assurance Reviews Framework applies to some non-corporate Commonwealth entities (NCEs). This guide applies to officials of NCEs who are responsible for conducting Assurance Reviews, and Assurance Reviewers.

Key points

This guide provides an overview of the Australian Government Assurance Reviews process and assist NCEs, Assurance Reviewers and other participants to understand their roles and responsibilities.

Assurance Reviews are principle based, providing flexibility for refining and adapting to changing environments, including financial risk and complexities associated with governance.

Information in this guide is designed to be applied using common sense as relevant to the circumstances of each program/project under review.

Resources

The information in this publication is based on the Gateway Review Pack—Best Practice (Version2), published by the State of Victoria through the Department of Treasury and Finance in 2004 and the Successful Delivery Toolkit (Version 4.5), published by the United Kingdom Office of Government Commerce (OGC), in 2004.

The Victorian Gateway documentation is subject to copyright protection by the State of Victoria and is reproduced with its permission. The Successful Delivery Toolkit is a Crown Copyright value-added product and is developed, owned and published by the OGC. It is subject to Crown Copyright protection and is reproduced under licence with permission of the Controller of Her Majesty’s Stationery Office and the OGC.

The Assurance Reviews Unit (ARU) in Finance provides a range of policy, guidance and assistance services in support of the Assurance Review function, including:

  • providing guidance on the completion of the Risk Potential Assessment Tool (RPAT).
  • facilitating Assurance Reviews and reviewer teams.
  • assisting entities that are subject to an Assurance Review on administrative and operational matters.
  • facilitating the provision of advice to Assurance reviewers related to policy enhancements and key issues.
  • developing reference and supporting materials.
  • periodically publishing lessons learned and better practice guidance from Assurance Reviews conducted.

This guide and related materials listed below are available on the Finance website at: .

Other relevant publications include:

  • Resource Management Guide No. 107: Risk Potential Assessment Tool and Guidance
  • Information Sheets and Questions and Answers
  • Information Sheet – Assurance Reviews Process Overview
  • Information Sheet – Shared Learning Building Public Sector Capability
  • Q&A for Senior Responsible Officials on the Assurance Review Process
  • Q&A for Review Team Members on the Assurance Reviews Process.

Introduction

  1. This guide provides a high-level overview of each assurance process and aims to demonstrate that each process has a ‘fit for purpose’ aspect. It also outlines the circumstances and criteria that trigger each assurance process, the general timing that would apply, and where to seek further detailed information and assistance.
  2. AppendixC: Handbook for Conducting Assurance Reviews provides a consistent framework from which to conduct Assurance Reviews across a range of different programs and projects. The Handbook includes examples of areas to probe and the type of evidence expected at key stages throughout program/project design, implementation and delivery.
  3. Implementation and delivery of policy initiatives is one of the key responsibilities of Commonwealth entities. While the planning process and advice leading up to cabinet decisions are critical for effective program/project implementation, there are separate aspects of program/project delivery that need to be addressed in the implementation phase after cabinet decisions have been made.

Part 1 – Australian Government Assurance Reviews

  1. External assurance can add important new insights to internal control, as well as an independent perspective to support the delivery of more complex programs/projects.
  2. Assurance Reviews do not replace an entity’s responsibility and accountability for implementation and delivery of a program/project. Assurance Reviews are designed to strengthen assurance practices and to build capability associated with the delivery and implementation of government programs/projects and services.
  3. Australian Government Assurance Reviews draw on a range of proven methodologies, including the Better Practice Guide on Successful Implementation of Policy Initiatives (Australian National Audit Office and the Department of the Prime Minister and Cabinet (PM&C), October 2014) and the United Kingdom’s Office of Government Commerce, (OGC) Gateway Review Process[1].
  4. There are two key types of Australian Government Assurance Reviews administered by the Department of Finance:
  • Implementation Readiness Assessments (IRA)
  • Gateway reviews (Gateway)
  1. The IRA was introduced in 2011. The purpose of the IRA is to provide assurance to the responsible Minister, the accountable authority and cabinet on how well practical delivery issues are being addressed for the proposed government programs/projects.
  2. The government introduced Gateway in the 2006-07 Budget, focusing initially on projects that satisfied certain financial thresholds or were identified as high risk. However, complexity and implementation challenges associated with program delivery, particularly cross-portfolio programs, led the government to extend the application of the Gateway assurance methodology to apply to programs as well (2011). The purpose of Gateway is to strengthen existing governance and assurance practices, and to increase program/project management capability across government.
  3. Experience and feedback has shown that Assurance Reviews assist with:
  • development and maintenance of robust business cases with key milestones, deliverables and benefits clearly articulated.
  • implementation design and planning.
  • development of risk management strategies to address challenges associated with competing priorities, resources and capability, as well as complexities associated with cross-jurisdictional responsibilities.
  • management of regulatory environments that may expose a program/project to failure if not properly identified and managed.
  • development of governance, accountability and reporting strategies to ensure appropriate support and oversight during implementation and delivery.
  • building capability and cultivating better practice through independent peer review and monitoring.

Core principles

  1. Fundamental to the ongoing success of the Assurance Reviews process are its core principles, which focus on:
  • providing independent assurance on how best to ensure that programs/projects are successful.
  • aligning benefits to entity and government strategic objectives with clear measurable targets, timelines and owners.
  • building capability through access to highly credentialed reviewers who provide mentoring and coaching.
  • promulgating the lessons learned.
  1. Key characteristics of Assurance Reviews are:
  • short duration - generally no more than five days.
  • based on non-attributable interviews.
  • flexibility in timing and scope, tailored to reflect the stage of policy development and delivery.
  • value-add - the specialist pool of senior reviewers have skills and experience relevant to the policy delivery environment.

Variance between the IRA and Gateway review process

Review / Timing / Review Report / Objective
IRA / Standalone review can occur prior to a cabinet decision or soon after. / Provided to:
  • NCE subject to the review
  • Central entities
  • Government
/ To support the decision making process by providing government and the accountable authority with assurance on how well practical delivery issues are being addressed.
Gateway / Multiple reviews which occur throughout the program/project lifecycle. / Provided to:
  • Senior Responsible Official (SRO) within the relevant entity
  • ARU for promulgation of lessons learnt
/ To support the successful delivery of a program/project by providing the SRO with an assessment that highlights issues that may jeopardise the delivery of benefits.
  1. If a program/project is subject to both an IRA and Gateway, both processes would be integrated to minimise the potential for review burden. E.g., the IRA may replace the pre-decision review stages of the Gateway process.

Interaction with ICT Investment Approval Process and Two Stage Capital Works Approval Process

  1. The Assurance Reviews Framework is designed to complement the ICT Investment Approval Process and the Two Stage Capital Works Approval Process. If a program/project is subject to both Gateway and the ICT Investment Approval Process or the Two Stage Capital Works Approval Process, the requirement to conduct Gateway Gate 0 and Gate 1 reviews is not mandatory. Gateway would only commence after the approval process has been concluded or if the entity opted to participate in reviews during the approval process.

Risk management

  1. Better practice demonstrates that the identification and treatment of risk is undertaken at the earliest opportunity during policy design. This is an important element of the control framework necessary for effective program/project implementation.
  2. Risks are things that may happen at some point in the future and have the potential to negatively impact on the policy and the realisation of objectives. It is essential that risks are identified and actively managed in order to reduce their likelihood of happening or their impact on the policy or program/project.
  3. By identifying key factors that affect policy performance and considering how they may evolve in the future, policies can be made more robust to a range of anticipated conditions and indicators developed to identify when policy adjustments are required.
  4. NCEs are responsible for assessing the inherent risk factors associated with their New Policy Proposals (NPP). The Risk Potential Assessment Tool (RPAT)[2] is a standardised risk analysis tool designed to assist NCEs with this process. The resultant risk rating can inform whether additional assurance processes is recommended to government. In making this determination, Finance will consult with relevant stakeholders including the relevant entity and other central entities.
  5. Decisions to commission Assurance Reviews are made by government, usually during the pre-budget considerations of NPPs and Portfolio Budget Submissions. In exceptional circumstances, the Minister for Finance, in consultation with the Prime Minister and the Treasurer, can make the decision to commission an Assurance Review.
  6. NCEs are encouraged to consider the scheduling of their cabinet submission timetable to allow for potential pre-decision Assurance Reviews.

Part 2 – Conducting successful Assurance Reviews

  1. Assurance Reviews consist of four distinct steps requiring the entity’s engagement and participation. The following sections outline the core elements of each stage and highlight some of the key elements for undertaking a successful Assurance Review.

The initiation stage

  1. Once an Assurance Review has been commissioned, ARU will contact the SRO and/or the Program/Project Manager to: clarify the characteristics of the program/project, discuss the timing and logistics of the review process, and discuss the skill requirements needed for the Assurance Review Team including potential reviewers.
  2. Following this, ARU will finalise the Assurance Review Team, including the Review Team Leader (RTL), and brief the Assurance Review Team on the program/project and their role in the review.
  3. At this point, the primary responsibility for coordinating the review passes to the RTL and Program/Project Manager. ARU will continue to support the conduct of the review and will be available to provide advice throughout the duration of the review.

The planning meeting

  1. A half-day planning meeting is held at the entity’s premises approximately two to three weeks prior to the onsite review. The planning meeting allows the SRO the opportunity to meet with the Assurance Reviews Team, discuss key issues and to brief the team about the program/project. Some of the topics that may be covered during the planning meeting include:
  • policy, service delivery, legal, governance and/or contractual context of the program/project including reasons for the program/project being initiated
  • relationship of the program/project with government policy, legislation and the entity’s (or entities’) outputs and outcomes
  • options considered in developing the course of action
  • benefits and outcomes the program/project will be expected to deliver and how they will be measured, realised and maximised
  • the program/project’s status, progress to-date and planned future work
  • implementation of the project plan, including an outline of the resourcing, funding and planning arrangements
  • communications and change management strategies
  • risks associated with the program/project, and how they will be managed.
  1. The Assurance Reviews Team will make requests for documentation and interviews with key stakeholders during the onsite review week.
  • The Program/Project Manager is encouraged to compile a draft list of documents (using AppendicesA and C as a guide) and interviewees for the Assurance Reviews Team’s consideration.
  • The Program/Project Manager is responsible for organising the interviews prior to the onsite review and making the documents available to the Assurance Review Team soon after the planning meeting. The documents can be provided either electronically (i.e. Govdex) or in hardcopy. Certain classified material may only be made available on the entity’s premises.
  1. The planning meeting also provides an opportunity to ‘plan’ the review. This includes discussing the review agenda, resourcing requirements, and protocols for the review. E.g., prior to the onsite review, the Program/Project Manager will also need to organise facilities for the Assurance Review Team. This may include:
  • a meeting room with a projector, laptop and/or access to a printer (as requested by the RTL)
  • building security passes; and
  • a cabinet of appropriate security rating to secure documentation.
  1. In addition to the above, the IRA process will also include planning meetings with central entity representatives.

The onsite review

  1. The onsite review is held at the entity’s premises usually over five working days. The purpose of the review is to provide the SRO with an assessment of the program/project’s progress against its stated objectives, as well as a Delivery Confidence Assessment (DCA) rating (Gateway), or an assessment of the potentialissues and risks to successful implementation (IRA).
  2. The onsite review includes an examination of the requested documentation and interviews with key program/project stakeholders. Where possible, the Assurance Review Team is encouraged to review the documentation provided by the entity prior to the first day of the onsite review.
  3. Generally, on the first morning of the review week the Program/Project Manager will meet with the Assurance Review Team to clarify arrangements for the week and confirm interviews. In the case of most reviews, the first three days of the review will primarily be used for interviews and documentation review, the fourth day will be used for drafting the review report, and the fifth day will be used to finalise the review report.
  4. Interviews will generally take between 30-45 minutes unless otherwise requested by the Assurance Review Team. Interviews are best conducted in person, however in some cases, teleconferences may be necessary. The Assurance Review Team will usually request a short break between interviews to discuss key issues and compile notes on their findings which will form the basis of the review report.
  5. At the end of each day, the RTL will brief the SRO on the day’s findings. This provides the SRO with an opportunity to address any misunderstandings, progress outstanding issues or provide additional information if required. This also ensures that the review report doesn’t contain any surprises for the SRO. During an IRA, the RTL will also regularly brief ARU.

The review report

  1. The Assurance Review Team will commence drafting the report as soon as practicable. The report, including conclusions and recommendations, will be finalised and presented to the SRO as a draft on the penultimate day of the review by the Assurance Review Team. The reviewers will base the report on the interviews conducted and the documentation read, applying judgement and expertise. The SRO and entity will have the opportunity to provide comment on the draft report.
  2. On the last day of the review, the final report will be provided to the SRO by the Assurance Review Team. ARU will also be provided with a copy of the report to assist with the development of lessons learnt from Assurance Reviews. The final report, which will be signed by all members of the Assurance Review Team, will include:
  • the Assurance Review Team’s assessment of overall delivery confidence (Gateway) or potential issues and risks to successful implementation (IRA)
  • key findings and any recommendations, indicating when it is advisable to take action
  • an overall conclusion on the program/project’s status and its readiness to progress to the next phase (Gateway)
  • background to the program/project, including its origin, the outcomes it seeks to achieve, and how the outcomes link to the entity’s business strategy and/or high level policy objectives
  • the purpose, scope and approach of the review, logistics of the review, including review dates, SRO, Assurance Review Team membership, stakeholders interviewed and documents reviewed; and
  • the progress achieved against previous review recommendations (if applicable).
  1. Gateway review reports are for the purpose of informing the entity and as such, they are only provided to the SRO. SROs are encouraged to circulate their reports with key stakeholders and governance arrangements. The aim is to ensure that the appropriate people are aware of issues arising and problems identified, and are able to take the requisite action[3].
  2. Sharing and reviewing outputs of assurance activities underpins an effective integrated assurance model, and maintaining an integrated assurance log can be a useful tool. Entities are encouraged to escalate the outcomes and recommendations from assurance to the level where appropriate remedial actions can be sanctioned.
  3. IRA review reports are provided to the responsible minister, the portfolio secretary and/or accountable authority, the SRO, Finance, PM&C and the Treasury. Finance will also refer to the outcome of the IRA in a briefing provided to government.
  4. Gateway reports provided to accountable authorities are subject to the Freedom of Information Act 1982 (FOI Act). The entity has responsibility for dealing with FOI requests for Gateway reports. Other information held by entities or by ARU related to a Gateway review may also be subject to the FOI Act.

Key elements for a successful Assurance Review

Planning and coordination